- within Technology, Antitrust/Competition Law and Insurance topic(s)
February 2026 – On Monday, 9 February 2026, the Czech National Cyber and Information Security Agency (“Czech Cybersecurity Authority”) issued and dispatched more than 4,800 administrative decisions designating providers of regulated services pursuant to the newly enacted Czech Cybersecurity Act. The expected number of regulated entities, however, exceeds 6,000.
In its press release of 11 February 2026, the Czech Cybersecurity Authority called on entities that had not yet done so to submit their notification of regulated services as soon as possible to avoid potential sanctions.
Background
The new Cybersecurity Act, which transposes the NIS2 Directive into Czech law, came into effect on 1 November 2025.
As of this date, organisations had 60 days to assess, on the basis of the Cybersecurity Act and the accompanying Decree on Regulated Services, whether, and under which regulatory regime, the new cybersecurity rules apply to them (higher or lower obligation regime), and to determine which regulated services they are required to notify to the Czech Cybersecurity Authority.
An organisation becomes a regulated service provider once the Czech Cybersecurity Authority delivers its registration decision. All further compliance deadlines under the Cybersecurity Act and related secondary legislation then run from that delivery date.
What happens next?
The number of decisions issued confirms that some organisations meeting the criteria have not yet filed their notifications or completed their internal “scoping analysis”. While the Czech Cybersecurity Authority has taken a cooperative approach and does not seek to impose sanctions for their own sake, it has clearly stated that statutory obligations must not be delayed. The length of non‑compliance may be considered in any subsequent administrative proceedings and may influence the level of any penalty imposed.
What you should do?
- Determine as soon as possible whether your organisation falls under the higher or lower obligation regime.
- If it does, notify your regulated services to the Czech Cybersecurity Authority without delay.
- Once your organisation receives the registration decision, you have one year to implement the required cybersecurity measures applicable to the relevant obligation regime and to begin reporting cybersecurity incidents to the Czech Cybersecurity Authority.
Kinstellar has already provided assistance on numerous occasions with the scoping and notification exercises. Should you have any questions regarding the above, our data governance and cybersecurity law experts stand ready to offer guidance and counsel.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]
